<html>
<head><meta charset="utf-8"><title>RustSec audit of binary files · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html">RustSec audit of binary files</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="209192048"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20audit%20of%20binary%20files/near/209192048" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html#209192048">(Sep 05 2020 at 19:21)</a>:</h4>
<p><a href="https://github.com/Shnatsel/rust-audit">https://github.com/Shnatsel/rust-audit</a> and <a href="https://github.com/Shnatsel/binfarce">https://github.com/Shnatsel/binfarce</a> seem to be ready for an release. The only thing left to do is write docs for <a href="http://docs.rs">docs.rs</a>. Feel free to give them a spin.<br>
<strong>TL;DR:</strong> embed the dependency tree in the compiled Rust binary and recover it later.</p>



<a name="209192105"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20audit%20of%20binary%20files/near/209192105" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html#209192105">(Sep 05 2020 at 19:22)</a>:</h4>
<p>I'll make an official release announcement in the next few days, but I'd appreciate if someone could give me feedback on the pre-release</p>



<a name="209192318"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20audit%20of%20binary%20files/near/209192318" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html#209192318">(Sep 05 2020 at 19:28)</a>:</h4>
<p>So far this is using a standalone binary for JSON to Cargo.lock conversion to make this data usable for <code>cargo audit</code>. I'm not sure it's a good solution in the long term.<br>
<span class="user-mention" data-user-id="132721">@Tony Arcieri</span> any preference on how to approach this? Should I keep it as-is, add some kind of flag to <code>cargo audit</code> to make it read the JSON out of a compiled binary, or build a completely standalone tool on top or rustsec crate?</p>



<a name="209196403"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20audit%20of%20binary%20files/near/209196403" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html#209196403">(Sep 05 2020 at 21:17)</a>:</h4>
<p>I think we can add a flag to <code>cargo audit</code> to support the JSON format</p>



<a name="209200550"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20audit%20of%20binary%20files/near/209200550" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html#209200550">(Sep 05 2020 at 23:39)</a>:</h4>
<p>Ah, so keep the extractor binary separate as it is right now but pipe its JSON output to cargo-audit? So that cargo-audit doesn't deal with binaries directly?</p>



<a name="209200612"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20audit%20of%20binary%20files/near/209200612" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html#209200612">(Sep 05 2020 at 23:41)</a>:</h4>
<p>The extraction pipeline is already 100% safe code and doesn't allocate, so I don't really see any reason to keep it in a separate process.</p>



<a name="209247008"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20audit%20of%20binary%20files/near/209247008" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html#209247008">(Sep 06 2020 at 23:47)</a>:</h4>
<p><code>0.1.0-rc0</code> is up on <a href="http://crates.io">crates.io</a> for <code>auditable</code>, <code>auditable-extract</code>, <code>auditable-serde</code> and <code>rust-audit-info</code><br>
You're welcome to kick the tires.<br>
If nothing goes horribly wrong, there should be a v0.1.0 and a release announcement in the next few days</p>



<a name="209327271"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20audit%20of%20binary%20files/near/209327271" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html#209327271">(Sep 07 2020 at 20:57)</a>:</h4>
<p>Release announcement for <code>auditable</code> 0.1.0: <a href="https://hackmd.io/2IWXCCTlSFSDz9_rUakihg">https://hackmd.io/2IWXCCTlSFSDz9_rUakihg</a><br>
I'd appreciate comments/feedback/nits. If there are no comments, this will go live tomorrow.</p>



<a name="209328113"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20audit%20of%20binary%20files/near/209328113" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html#209328113">(Sep 07 2020 at 21:16)</a>:</h4>
<p>Nit: are not nonexistent -&gt; still exist</p>



<a name="209328186"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20audit%20of%20binary%20files/near/209328186" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html#209328186">(Sep 07 2020 at 21:18)</a>:</h4>
<p>Applied, thanks</p>



<a name="209328210"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20audit%20of%20binary%20files/near/209328210" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html#209328210">(Sep 07 2020 at 21:19)</a>:</h4>
<p>Oh wow this looks really cool</p>



<a name="209328223"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20audit%20of%20binary%20files/near/209328223" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html#209328223">(Sep 07 2020 at 21:19)</a>:</h4>
<p>(deleted)</p>



<a name="209328224"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20audit%20of%20binary%20files/near/209328224" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html#209328224">(Sep 07 2020 at 21:19)</a>:</h4>
<p>Rather than giving you the information at compile time, it's giving you the info to find it after you've already compiled it</p>



<a name="209328296"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20audit%20of%20binary%20files/near/209328296" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html#209328296">(Sep 07 2020 at 21:21)</a>:</h4>
<p>Yup! And if uplifted into Cargo and enabled by default, this would let you audit binaries that somebody compiled years ago and left no audit trail whatsoever.</p>



<a name="209328362"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20audit%20of%20binary%20files/near/209328362" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html#209328362">(Sep 07 2020 at 21:23)</a>:</h4>
<blockquote>
<p>Can I read this data using a tool written in a different language?</p>
<p>Yes. </p>
</blockquote>
<p>Ok <em>this</em> is the coolest bit :D</p>



<a name="209440787"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20audit%20of%20binary%20files/near/209440787" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html#209440787">(Sep 08 2020 at 20:35)</a>:</h4>
<p>Announcement is up on Reddit: <a href="https://redd.it/iotx5u">https://redd.it/iotx5u</a></p>



<a name="209440901"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20audit%20of%20binary%20files/near/209440901" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html#209440901">(Sep 08 2020 at 20:36)</a>:</h4>
<p>I want to post to one of the official forums too. Should I post this on internals.* or users.* ?</p>



<a name="209441222"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20audit%20of%20binary%20files/near/209441222" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html#209441222">(Sep 08 2020 at 20:39)</a>:</h4>
<p>I'd put it on users I think</p>



<a name="209441248"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20audit%20of%20binary%20files/near/209441248" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html#209441248">(Sep 08 2020 at 20:39)</a>:</h4>
<p>since it's meant for users ;) not just people contributing to the project</p>



<a name="209441289"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20audit%20of%20binary%20files/near/209441289" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html#209441289">(Sep 08 2020 at 20:39)</a>:</h4>
<p>Users will already see it on Reddit, I kinda want the Cargo devs to see it. Hmm</p>



<a name="209441357"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20audit%20of%20binary%20files/near/209441357" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html#209441357">(Sep 08 2020 at 20:40)</a>:</h4>
<p>In that case I should probably poke them directly <span aria-label="laughing" class="emoji emoji-1f606" role="img" title="laughing">:laughing:</span></p>



<a name="209441395"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20audit%20of%20binary%20files/near/209441395" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html#209441395">(Sep 08 2020 at 20:40)</a>:</h4>
<p><a class="stream" data-stream-id="246057" href="/#narrow/stream/246057-t-cargo">#t-cargo</a> is there for you :P</p>



<a name="209447112"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20audit%20of%20binary%20files/near/209447112" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DPC <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html#209447112">(Sep 08 2020 at 21:32)</a>:</h4>
<p>given this is a official wg, how about a blog post on rust site (whatever they call it <span aria-label="stuck out tongue" class="emoji emoji-1f61b" role="img" title="stuck out tongue">:stuck_out_tongue:</span> )</p>



<a name="209447543"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20audit%20of%20binary%20files/near/209447543" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html#209447543">(Sep 08 2020 at 21:37)</a>:</h4>
<p>Let's do that if my RFC gets actually merged</p>



<a name="209447801"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20audit%20of%20binary%20files/near/209447801" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html#209447801">(Sep 08 2020 at 21:40)</a>:</h4>
<p>There will be plenty of room for official posts later, provided that this does get accepted into Cargo itself.<br>
Besides, I prefer to stick to the "this is just me doing that and all mistakes are mine" narrative, and it hasn't failed me yet.</p>



<a name="209452148"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RustSec%20audit%20of%20binary%20files/near/209452148" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Eh2406 <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RustSec.20audit.20of.20binary.20files.html#209452148">(Sep 08 2020 at 22:30)</a>:</h4>
<p>Btw as a member of the Cargo team, I have been watching your progress on this and am very excited about it.</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>